IoT Device Security

Expert IoT Device Pentesting for Connected Security

Confirm the security of your IoT devices with iSecNet's thorough penetration testing. We help identify vulnerabilities, guide you through remediation, and make sure your devices meet industry standards and compliance requirements.

What is IoT Device Pentesting?

IoT Device Penetration Testing is a comprehensive security assessment of Internet of Things devices to identify vulnerabilities that could be exploited by malicious actors. Our testing covers firmware, hardware interfaces, communication protocols, and mobile applications.

This specialized testing ensures that your IoT devices are secure from various attack vectors including hardware manipulation, firmware tampering, network attacks, and application vulnerabilities that could compromise device functionality and user data.

Key Benefits of IoT Device Pentesting

Our IoT device pentesting services provide comprehensive security benefits to protect your connected ecosystem.

Improved Device Security

Detect and mitigate security flaws before they are exploited by malicious actors.

Regulatory Compliance

Ensure your IoT devices meet industry standards and regulatory requirements, including GDPR, HIPAA, and more.

Data Privacy Protection

Safeguard sensitive user data and prevent breaches through comprehensive device security.

Business Continuity

Protect against disruptions caused by potential IoT device vulnerabilities and ensure operational stability.

Reduced Financial Risk

Avoid the financial losses associated with breaches, device downtime, or reputational damage.

Improved User Trust

Building a secure IoT ecosystem reassures users that their data and interactions with your devices are safe.

Our IoT Testing Scope

We comprehensively test all aspects of IoT devices and their ecosystem components.

Firmware Analysis

Reverse engineer and analyze firmware for backdoors, hardcoded credentials, and security vulnerabilities.

Hardware Testing

Test debug interfaces, JTAG ports, and other hardware access points for potential security bypasses.

Network Security

Assess wireless protocols, encryption strength, and network communication security.

Mobile App Testing

Test companion mobile applications for authentication bypasses and data security issues.

Cloud Backend Testing

Evaluate cloud infrastructure and APIs that support IoT device operations.

Communication Protocols

Test MQTT, CoAP, Zigbee, and other IoT communication protocols for security flaws.

Common IoT Vulnerabilities We Find

Our IoT pentesting process identifies a wide range of security vulnerabilities that could compromise your devices.

Weak Authentication

Default or hardcoded credentials that allow unauthorized access to device functionality.

Insecure Updates

Unencrypted or unsigned firmware updates that can be intercepted or replaced with malicious versions.

Data Leakage

Sensitive data transmitted in plaintext or stored without proper encryption and protection.

Physical Access

Debug ports and interfaces that allow physical access for device manipulation and data extraction.

Network Attacks

Weak wireless security and vulnerable network protocols that enable man-in-the-middle attacks.

Command Injection

Input validation flaws that allow attackers to execute arbitrary commands on the device.

Our Testing Methodology

Our systematic IoT device penetration testing methodology ensures comprehensive security assessment.

1. Define Scope

We work with you to define the testing scope, including device models, firmware versions, and testing boundaries.

2. Information Gathering

Collect comprehensive information about device architecture, components, and potential attack surfaces.

3. Enumeration

Identify and enumerate device interfaces, services, communication protocols, and potential vulnerabilities.

4. Firmware Analysis

Perform reverse engineering and static analysis of firmware to identify security flaws and backdoors.

5. Hardware Testing

Test physical access points, debug interfaces, and hardware security mechanisms for vulnerabilities.

6. Reporting

Provide comprehensive reports with detailed findings, risk assessments, and remediation recommendations.

Frequently Asked Questions

Common questions about IoT and embedded device security testing.

Firmware extraction is the process of reading the software stored on your device's memory chip — essentially extracting the operating system and application code so we can analyse it for hardcoded passwords, encryption keys, backdoors, insecure configurations, and vulnerable libraries. We use multiple techniques depending on the device: reading firmware directly from flash memory chips using chip-off or JTAG methods, triggering OTA (over-the-air) update mechanisms to capture the firmware in transit, or obtaining firmware from the manufacturer's update server. The process is non-destructive — we do not damage the device. In most cases the device continues to function normally throughout testing.

Pre-production testing is the highest-value IoT security investment you can make. Once a hardware vulnerability is discovered post-launch, fixing it requires a firmware update (best case) or a product recall (worst case). A firmware update can address software flaws, but cannot fix hardware design flaws like exposed debug ports or insecure chip configurations after manufacturing. iSecNet can work with prototype units, EVT/DVT samples, or pre-production builds. Early testing allows you to fix hardware design issues while they're still cheap to change, and gives you a security certificate ready for investor due diligence, retail buyer requirements, and regulatory submissions.

iSecNet tests all major IoT wireless protocols. For Bluetooth and BLE (Bluetooth Low Energy), we test for unauthorised pairing, MITM attacks, replay attacks, and insecure characteristic permissions. For Wi-Fi, we test for WPA2/WPA3 weaknesses, PMKID attacks, and insecure captive portal implementations. For Zigbee and Z-Wave, we test for network key extraction, replay attacks, and device impersonation. For MQTT (the most common IoT messaging protocol), we test for unauthenticated broker access, topic enumeration, and message injection. For LoRa and NB-IoT, we assess join security, device authentication, and data integrity. The specific protocols tested are agreed during scoping based on what your device actually uses.

Consumer and commercial IoT devices (smart locks, wearables, connected appliances, industrial sensors) are the focus of IoT pentesting — these typically run embedded Linux or RTOS, connect via Wi-Fi or cellular, and communicate with cloud APIs. OT (Operational Technology) and ICS (Industrial Control Systems) testing covers PLCs, RTUs, HMIs, SCADA systems, and industrial protocols like Modbus, DNP3, and Profinet — systems where a security failure can cause physical damage, production downtime, or safety incidents rather than just data loss. iSecNet handles both, but the methodology, tooling, and risk tolerance differ significantly. During scoping we'll identify which category your environment falls into and tailor the approach accordingly.

It is never too late, and post-deployment testing is actually very common. The key question is: what can be fixed after deployment? Software and firmware vulnerabilities can be patched via OTA updates. Cloud API and mobile app vulnerabilities can be fixed with no hardware change. Hardware design flaws (exposed debug ports, insecure boot configurations) cannot be patched remotely, but knowing about them allows you to implement compensating controls — network segmentation, cloud-side anomaly detection, or access restrictions. iSecNet's post-deployment assessment focuses on what is fixable and prioritises findings by exploitability and business impact, giving you a clear action plan regardless of deployment stage.

IoT hardening is the process of proactively applying security best practices to a device before it is tested or deployed — disabling unnecessary services, changing default credentials, enabling encrypted boot, locking debug interfaces, and following secure coding guidelines. IoT penetration testing is the process of trying to break a device using real attack techniques to discover what is actually exploitable. Hardening without testing assumes your controls are working correctly. Testing without hardening wastes time finding issues that best practices would have prevented. iSecNet recommends both: use our pre-test hardening checklist to eliminate known baseline weaknesses, then conduct a full pentest to find the vulnerabilities your team didn't anticipate. The result is a much stronger device for the same testing budget.
